Responsible Disclosure

At SoundCloud, we take the safety of our users very seriously. If you believe you have discovered a possible security vulnerability on our platform, API(s), app(s), or in any other SoundCloud service, please help us to fix it as quickly as possible by disclosing your findings in accordance with this policy.

Publicly disclosing a vulnerability can put the entire community at risk, so we urge you to keep matters private until a fix can be rolled out from our side.

Please include as much information as possible in your report, including a way for us to reproduce the issue.

We will confirm receipt of valid reports within 24 hours (on a business day); a member of the security team will look into your finding within a week’s time and then get back to you.

Please do not make your research or findings public or share them with anyone until we have had a chance to investigate and roll out a fix.

Permitted Research

Whitehat security researchers are always welcome, and responsible research and disclosure is not a matter for our lawyers. However, we do not tolerate any of the following, which will always be reported to the relevant authorities:

any attempt to modify or destroy data

any attempt to interrupt or degrade the services we offer to our users

any attempt to execute a Denial of Service attack

any attempt to access a user's account or data

any research that involves violation of any applicable law

Please only test for vulnerabilities on SoundCloud systems - systems hosted by third parties (e.g. blog.soundcloud.com, help.soundcloud.com) are NOT within scope of this policy.

Reward Program

Researchers that responsibly disclose qualifying issues in accordance with this policy may be eligible for a reward and/or inclusion in our Hall of Fame.

Qualifying issues are web vulnerabilities with a valid attack scenario, which demonstrate exploitability and have significant impact on our users or our infrastructure, including:

Security vulnerabilities in third-party websites and applications that integrate with SoundCloud

Issues affecting outdated or unpatched browsers

Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible to attack

Whether or not an issue is a qualifying issue, as well as eligibility for a reward and/or inclusion in our Hall of Fame, are decisions taken by SoundCloud in its discretion. Only the first researcher to report a specific qualifying issue is eligible for a reward and/or inclusion in our Hall of Fame, and we reserve the right to cancel this program at any time without notice.

Hall of Fame

On behalf of our millions of users, we would like to give a shout-out here on our Hall of Fame to all security researchers that have helped us keep SoundCloud safe by reporting a security vulnerability to us responsibly - we really appreciate it!

Michael Cowell (compl3x)

joernchen of Phenoelit

Egor Homakov

Mariano Di Martino

M.R.Vignesh Kumar (@vigneshkumarmr)

Atulkumar Hariba Shedage

Ajay Singh Negi

Thamatam Deepak

Mohamed Ramadan

Yuji Kosuga

Kamil Sevi (@kamilsevi)

Emanuel Bronshtein

Adam Ziaja

Rafay Baloch (@rafaybaloch)

Frans Rosén (@detectify)

Nils Jünemann

Maxim Rupp

Abhinav Karnawat \/ w4rri0r \/

Mathias Karlsson (@detectify)

Saqib Kamran (@saqibkamran)

Jaime Manteiga

Riyaz Walikar

Muhammad Waqar (@MuhammadWaqar_9)

Ehraz Ahmed (@ehrazofficial)

Veli-Pekka Vainio (@veeeeep)

Jatinpreet Singh (@SillyGeek)

Sasi Levi (@sasi2103)

Tejash Patel (@tejash1991)

Ankit Bharathan

Javid Hussain (@javidhussain21)

Anand Prakash (@sehacure)

Abdelhamid Aboulouafa (@_ham1d)

Ashar Javed (@soaj1664ashar)

Denis Kolegov (@dnkolegov)

Masato Kinugawa

Luis Felipe Teixeira (@vergl4s)

Siddhesh Gawde (pen3t3r)

Ali Hasan Ghauri (@alihasanghauri)

J. M. Gazzlay (@gazly)

Tom Van Goethem (@tomvangoethem)

Mathias Bynens (@mathias)

Umer Shakil (@umer_djzz)

Rafael Pablos

Nakul Mohan (@Nakul_Mohan_Cia)

Simone Memoli (@Simon90_Italy)

Ketan Sirigiri (@Cigniti)

Garry Bacalso

Hammad Shamsi

Max Prietzel

Waleed Ezz Eldin (WIBF)

Dennis Baaten (@dennisbaaten)

Momen Basel (@momenbassel)

Abdul Haq Khokhar (@abdulhaqkhokhar)

Mazen Gamal Mesbah (@MazenGamal)

Evan Ricafort (@evanricafort)

Mohammed Fayez Albanna

Mohamed Abdelbaset Elnoby (@SymbianSyMoh)

Hamid Ashraf (@hamihax)

Saurabh Gandhi (Sam Gandhi)

Paulos Yibelo

Jonathan Metzman

Achanta Varun Chowdary (@varunmuna53)

Yash Pandya (@eryash9_yash)

Abdul Rehman (@Abdul_R3hman)

Abhibandu Kafle (@kabhi_kav)

Shahmeer Amir (@Shahmeer_Amir)

Zeyad Khaled Mohamed (@zeyadk99)

Jeroen Blevi (@triponoid)

Victor Hylejam Flores Olivares (@victorhylejam)

Ahmed Y. Elmogy (@mogyhacker)

Ahmed Mehtab (@ahmedmehtabPK)

Koutrouss Naddara (@KoutroussNaddar)

Haider Kamal (@haiderkamal122)

Tony Trummer

Sergey Bobrov (@Black2Fan)

Dhaval Chauhan (@17haval)

Ashutosh Kumar (@ccfisinfo)

Ashish Pathak (@pathakbackz)

C Vishnu Vardhan Reddy (@Vishnu_dfx)

Callum Carney

Ahmed Adel Abdelfattah (@00SystemError00)

Rui Silva (@ruisilva2015)

If you have previously disclosed a security issue in accordance with this policy and believe your name is missing from this list, please email us at whitehat@soundcloud.com.